SANS ISC InfoSec Forums

An ISC reader, thanks Paul, notified us about a new SEO (Search Engine Optimization) poisoning attack doing the rounds in the last 6-8 hours. We have talked about this kind of attacks in the past, although they were mainly focused on other hot technological topics, major tragedies, or events. This time, the topic to get on top of the search engines result page is a TV reality show. Specifically, there is a TV show premiere in the US tonight called "Billy the Exterminator". The "wiki billy the exterminator" search term in Google (USE WITH CAUTION: http://www.google.com/search?q=wiki+billy+the+exterminator) shows the poisoning attack.

The compromised sites present the following URL format: /FILE.php?PARAM=billy%20the%20exterminator%20wiki, where FILE is most commonly a three letter file name, and PARAM is an input parameter (one or multiple characters). The affected sites are using a drive by attack, providing victims a fake AV warning message that drives them to download a piece of malware: "Warning! Your computer is vulnerable to malware attacks. We recommend you to check your system immediately. Press OK to start the process now.".

If you manage, or know someone that manages any of the affected sites, we would like to get details about the compromise in order to confirm the vulnerability exploited to get into . Please, send details through our contact page.(PHP related)